People Don't Read Privacy Policies... But Want Them To Be Clearer

from the sounds-good-to-me dept

We already know that people don't read online privacy policies and often (falsely) assume that if there's any such privacy policy it means their data is safe. There are, of course, even questions as to whether or not a privacy policy is even valid if no one reads it. Still, many consumer and privacy activists continue to act as if the privacy policy is a key aspect of online privacy. In fact, regulators in both the UK and the US seem to be admitting no one reads privacy policies, but demanding they are improved anyway. Specifically, a study done by regulators in the UK shows that 71% of people don't read privacy policies, but 62% want them clearer.

Now, you could make the argument that the reason people don't read privacy policies is because they are too confusing and not at all clear. And, there's something to be said for simplifying privacy policies. To be honest, I'm surprised no one has come up with a Creative Commons-like standard setup for privacy policies (pick and choose a few attributes, have nice images, and make it all clear in a single link). However, it seems to be focused on the wrong issue. It seems likely that the uselessness of privacy policies has a lot more to do with the fact that people don't care (or they don't believe any privacy policy, no matter how clear) or that they think no matter what the privacy policy is, it won't matter once the data is leaked or the company changes its policy. So rather than focusing on creating better privacy policies, shouldn't the focus be on what companies actually do rather than what they say they do?

19 Comments | Leave a Comment..

Does It Really Matter How Complex Privacy Policies Are?

from the not-really dept

Slashdot points out that a recent study of various privacy policies shows that most are at an extremely high reader level, in some cases ridiculously high. Of course, this is used to suggest that people don't understand the privacy policies they read -- but that's been known for years. But the issue has little to do with the policies themselves, because no one tends to read them, no matter how readable (or not) they are. In fact, many people falsely assume that the very presence of any policy means that their privacy is safe. So, even if a site has a privacy policy that says "you have no privacy, and we'll reveal all your data to whoever pays top dollar," people won't read it and will assume that a site will keep their data private. That's because people assume that any privacy policy means the site takes privacy seriously, even if that's not the case. Given that, it doesn't really matter how readable the privacy policy is, people aren't going to read it and aren't going to pay attention to what it says if they do read it. It seems like privacy policies, in general, are simply a relic of a legal system, rather than anything actually useful. Instead of focusing on the readability of privacy policies, shouldn't we be looking for a better solution altogether?

18 Comments | Leave a Comment..

Computers Are Programmed By People Not Magic

from the trust-but-verify dept

Ben Adida has a great post discussing the misplaced faith people often have in the machines in their lives, and the way that faith often spills over to e-voting. He mentions a scene in the 2006 HBO documentary on e-voting where an election official breaks down in tears when someone shows her how her voting machines could be hacked. For computer programmers, who are intimately familiar with what goes on under the hood, the idea that we should automatically trust anything a machine tells us is a little bit ridiculous. We're aware that computers are extremely complex devices that can go wrong in any number of ways, that they're designed by fallible human beings, and that it requires a lot of very careful engineering to make sure they're secure and reliable. We recognize, in particular, that the more complex a system is, the more likely it is to have problems, and so the more skeptical we should be of its results. It's not a coincidence that $5 pocket calculators tend to work flawlessly, while complex systems like Excel and the Pentium chip sometimes make basic arithmetic errors: the greater complexity increases the number of ways things can go wrong.

But a lot of non-technical folks seem to view things the other way around. Last week, for example, I noted a a Chicago law professor who thinks that "the future is surely with the touch-screen or some other form of online voting." The problem with this statement is that if our goal is security and reliability, which it should be, the added complexity of computers and touchscreens is a big disadvantage. But this isn't obvious if you've never looked under the hood to appreciate all the things that could go wrong. Computers are not magical boxes that always produce the correct answer, but unfortunately, a lot of people seem to think that they are.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

33 Comments | Leave a Comment..

More Isn't Necessarily Better When It Comes To Preferences

from the keep-it-simple-stupid dept

Facebook has unveiled a new set of privacy settings that have been getting some positive reviews in some quarters. While I'm always happy to see a company that's not afraid to experiment with new privacy protections, I think Facebook has some more work to do on this one.

One problem has been identified by Chris Soghoian: if you're in an academic network, you can theoretically limit access to your profile based on each viewer's academic status at your institution. So if you're an undergrad, you can set things up so that your friends can see those pictures of you doing body shots, but your professors and TAs can't. The problem is that apparently, peoples' status is self-reported, and can easily be changed. So a nosy grad student could temporarily switch his status to "undergrad" and to get access to an undergraduate's photos. This seems like a problem.

The more fundamental flaw, I think, is that there are now way too many options. The exact options I see on my Facebook account are different from the ones Chris sees, presumably because he's a student and I'm not. But on my version of the preferences, there are a dozen categories of information, each of which have 6 to 8 different options. For example, there are separate privacy settings for "profile," "basic info," and "personal info." Do you have any idea what is in each of those categories? I don't. And then you have to decide whether each category will be available to "Only Me," "Some Friends," "All Friends," and "Friends of Friends." And you have to decide which of your "networks" will be able to see that information. And you can provide a list of people to exclude.

This is a bewildering array of options, and it's likely to retard the usefulness of Facebook's privacy features. When it comes to user preferences, a handful of carefully chosen options is better than allowing users to adjust every conceivable setting. A well-designed user-interface should economize on the user's valuable time and attention by giving him a reasonable number of options that encompass the most likely use cases. If you give users a huge number of options, most of them will give up in frustration, leaving them in a much worse position, privacy-wise, than if you'd given them a smaller menu of easy-to-understand options to choose from.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

6 Comments | Leave a Comment..

Massive Cyberattacks Like Hacking The Weather?

from the which-is-a-bigger-worry? dept

For years, fear mongerers from industry and government have been warning about the growing threat of "cyberwar" and "cyberattacks" where hackers would totally take down important critical systems that rely on the internet. The reality, however, is that it's not so easy for hackers to do this. In fact it's been exceedingly rare that hack attacks cause huge problems, taking down critical systems on a massive basis (though, they can do plenty of localized damage). Instead, as the NY Times notes, it seems that all of the big computing disasters lately have much more to do with overly complex computing systems, where some bug triggers a catastrophic failure. The article mentions things like the recent United Airlines computer problems and the recent Skype downtime, both of which were attributed to computer failures rather than malicious attacks (though, there's some debate over how true those explanations are). One of the most interesting points made in the article is that the complexity of many computing systems has reached such a level that pinpointing problems is a lot more like forecasting the weather than anything else. You have some general idea of where the problems might occur, but there's a lot of guesswork involved. Of course, it could be that this level of complexity is exactly why hacking attacks haven't been able to bring down most major systems. It's the same thing as the various (failed) attempts to control the weather. There are just too many variables to deal with.

14 Comments | Leave a Comment..